CVE-2020-27950: Apple iPadOS Information Disclosure Flaw

CVE-2020-27950 is an information disclosure vulnerability in Apple iPadOS caused by a memory initialization issue. Malicious apps could exploit this to access kernel memory. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2020-27950 Overview

CVE-2020-27950 is a kernel memory initialization vulnerability affecting Apple's XNU kernel across macOS, iOS, iPadOS, and watchOS. The flaw stems from improperly initialized Mach message trailers, allowing a malicious local application to read uninitialized kernel memory. Apple patched the issue in macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, watchOS 7.1, and multiple supplemental updates. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming in-the-wild exploitation as part of a zero-day chain targeting Apple devices. The weakness is categorized under [CWE-665: Improper Initialization].

Critical Impact

A malicious local application can disclose kernel memory contents, leaking sensitive data such as pointers used to defeat Kernel Address Space Layout Randomization (KASLR) and enable further kernel exploitation.

Affected Products

  • Apple iOS prior to 14.2 and iOS 12.4.9
  • Apple iPadOS prior to 14.2
  • Apple macOS Big Sur prior to 11.0.1, Catalina 10.15.7 Supplemental, and Mojave/High Sierra (Security Update 2020-006)
  • Apple watchOS prior to 7.1, 6.2.9, and 5.3.9

Discovery Timeline

  • 2020-12-08 - CVE-2020-27950 published to NVD
  • 2025-10-27 - Last updated in NVD database

Technical Details for CVE-2020-27950

Vulnerability Analysis

The vulnerability resides in the XNU kernel's Mach inter-process communication (IPC) subsystem. When the kernel constructs Mach message trailers returned to userland, certain trailer fields are not fully initialized before being copied out. A local attacker invoking specific mach_msg system calls can receive trailer structures containing residual data from previously used kernel memory.

The disclosed bytes frequently contain pointers, stack canaries, or fragments of sensitive kernel structures. Attackers use these leaks to bypass KASLR and pivot toward kernel code execution. This vulnerability was reportedly chained with CVE-2020-27932 and CVE-2020-27930 in a kernel exploitation chain observed in the wild.

Root Cause

The root cause is improper initialization [CWE-665] of Mach message trailer fields in the XNU kernel. Trailer memory is allocated and partially populated, but unused regions retain stale heap or stack contents. When the message is delivered to a userland recipient, the kernel returns those uninitialized bytes verbatim across the user boundary.

Attack Vector

Exploitation requires local code execution, typically through a malicious application installed or sideloaded on the device. The attacker sends crafted Mach messages and inspects the returned trailers to harvest kernel memory contents. No special privileges are required beyond the ability to execute user-mode code and issue Mach IPC syscalls. The exploit is reliable because trailer fields are predictably returned to userspace on each message receipt. Technical details were publicly documented in the Packet Storm Security Disclosure and the Full Disclosure Mailing List Post.

Detection Methods for CVE-2020-27950

Indicators of Compromise

  • Unsigned or sideloaded applications issuing high volumes of mach_msg system calls with non-standard trailer options
  • Processes performing kernel address resolution shortly before attempting privilege escalation primitives
  • Devices running unpatched iOS 14.1 or earlier, macOS Catalina 10.15.7 without supplemental update, or watchOS 7.0 and earlier

Detection Strategies

  • Monitor endpoints for apps requesting unusual Mach IPC behavior or attempting to enumerate kernel symbols from userland
  • Correlate process anomalies with subsequent privilege escalation or jailbreak indicators using behavioral analytics
  • Inventory Apple device fleets and flag any OS version below the patched baselines as exposed

Monitoring Recommendations

  • Ingest MDM and endpoint telemetry into a centralized analytics platform to track OS patch compliance across macOS, iOS, iPadOS, and watchOS fleets
  • Alert on applications that escape sandbox boundaries or escalate privileges following Mach IPC activity
  • Review the CISA Known Exploited Vulnerabilities catalog entry for required federal remediation timelines

How to Mitigate CVE-2020-27950

Immediate Actions Required

  • Update all Apple devices to the fixed releases: macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, watchOS 7.1, watchOS 6.2.9, watchOS 5.3.9, iOS 12.4.9, macOS Catalina 10.15.7 Supplemental Update, and Security Update 2020-006 for Mojave and High Sierra
  • Enforce patch compliance through MDM and block enrollment of devices running unpatched OS versions
  • Restrict installation of untrusted or sideloaded applications, particularly on iOS and iPadOS devices outside the App Store
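The detection and mitigation bullets above both reduce to one task: compare each device's OS version against the fixed releases Apple shipped and flag everything below them. The following Python script is an added example, not code from the page or from Apple, CISA or any MDM vendor. It encodes the baselines listed on this page (iOS 14.2 and 12.4.9, iPadOS 14.2, watchOS 7.1, 6.2.9 and 5.3.9, macOS Big Sur 11.0.1) and runs them over a constructed MDM inventory export whose record format is assumed. Because the Catalina 10.15.7 Supplemental Update and Security Update 2020-006 do not change the product version and the page gives no build numbers, those macOS branches are reported as "verify" rather than given a verdict.

```python
"""Fleet exposure triage for CVE-2020-27950 (added example, not the page's code).

Encodes the patched baselines listed in the advisory and applies them to a
constructed MDM inventory. Devices on macOS branches fixed by a supplemental
or security update are returned as 'verify' because the product version
alone cannot prove the update is installed.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed release per platform branch. The first tuple is the leading
# version component(s) a device must share to use that row; an empty prefix
# is the default row. Rows are checked in order, so branch rows come first.
FIXED: Dict[str, List[Tuple[Version, Version]]] = {
    "iOS":     [((12,), (12, 4, 9)), ((), (14, 2))],
    "iPadOS":  [((), (14, 2))],
    "watchOS": [((5,), (5, 3, 9)), ((6,), (6, 2, 9)), ((), (7, 1))],
    "macOS":   [((), (11, 0, 1))],
}

# macOS branches patched by an update that leaves `sw_vers -productVersion`
# unchanged. The floor (if any) is required but not sufficient; the build
# number from `sw_vers -buildVersion` must be checked by the operator.
MACOS_NEEDS_BUILD_CHECK: Dict[Version, Tuple[Optional[Version], str]] = {
    (10, 15): ((10, 15, 7), "macOS Catalina 10.15.7 Supplemental Update"),
    (10, 14): (None, "Security Update 2020-006 (Mojave)"),
    (10, 13): (None, "Security Update 2020-006 (High Sierra)"),
}


def fmt(v: Version) -> str:
    """Render a version tuple as dotted text."""
    return ".".join(str(p) for p in v)


def parse_version(text: str) -> Version:
    """Parse '14.1' or '10.15.7' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(platform: str, version: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'patched', 'exposed' or 'verify'."""
    try:
        v = parse_version(version)
    except ValueError as exc:
        return "verify", str(exc)
    if platform not in FIXED:
        return "verify", f"no baseline for platform {platform!r}"

    if platform == "macOS":
        for prefix, (floor, update_name) in MACOS_NEEDS_BUILD_CHECK.items():
            if v[:2] == prefix:
                if floor is not None and v < floor:
                    return "exposed", f"{platform} {version} < {fmt(floor)}"
                return "verify", f"confirm {update_name} via sw_vers -buildVersion"

    for prefix, floor in FIXED[platform]:
        if v[:len(prefix)] == prefix:
            if v >= floor:
                return "patched", f"{platform} {version} >= fixed {fmt(floor)}"
            return "exposed", f"{platform} {version} < fixed {fmt(floor)}"
    return "verify", "no baseline row matched"


def scan_inventory(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate each inventory record with status/reason; exposed devices first."""
    annotated = []
    for rec in records:
        status, reason = assess(rec["platform"], rec["os_version"])
        annotated.append({**rec, "status": status, "reason": reason})
    order = {"exposed": 0, "verify": 1, "patched": 2}
    return sorted(annotated, key=lambda r: order[r["status"]])


# Constructed sample inventory (assumed export shape, not real devices).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "ipad-01", "platform": "iPadOS", "os_version": "14.1"},
    {"device": "iphone-02", "platform": "iOS", "os_version": "12.4.9"},
    {"device": "iphone-03", "platform": "iOS", "os_version": "13.7"},
    {"device": "mac-04", "platform": "macOS", "os_version": "10.15.7"},
    {"device": "mac-05", "platform": "macOS", "os_version": "11.0"},
    {"device": "watch-06", "platform": "watchOS", "os_version": "6.2.8"},
    {"device": "watch-07", "platform": "watchOS", "os_version": "7.1"},
    {"device": "mac-08", "platform": "macOS", "os_version": "n/a"},
]

if __name__ == "__main__":
    for row in scan_inventory(SAMPLE_INVENTORY):
        print(f"{row['device']:10} {row['platform']:8} {row['os_version']:8} "
              f"{row['status']:8} {row['reason']}")
```

iOS 13.x has no fixed release on the page, so it falls through to the 14.2 default row and is reported as exposed; a device with an unparseable version or an unlisted platform is reported as "verify" rather than silently passing, which is the safe failure mode for a compliance check.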

Patch Information

Apple released coordinated security updates documented in advisories HT211928, HT211929, HT211931, HT211940, HT211944, HT211945, HT211946, and HT211947. The fix ensures Mach message trailer fields are fully zero-initialized before being returned to userland.

Workarounds

  • No vendor-supplied workaround exists; patching is the only effective remediation
  • Limit local code execution exposure by enforcing application allowlisting and removing unused or untrusted apps
  • Apply principle of least privilege and disable developer mode and sideloading on production devices
```bash
# Verify current macOS version and confirm patched baseline
sw_vers -productVersion
# Catalina 10.15.7 Supplemental Update and Security Update 2020-006 do not
# change the product version; compare the build number against Apple's advisory
sw_vers -buildVersion

# On managed fleets, query patch status via MDM (example: jamf)
sudo jamf recon
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
